* iptables
  - reject with reset instead of drop? maybe
    \ consider it: REJECT makes a closed port look exactly like it does on an unfirewalled host and legit clients fail fast, while DROP makes them sit through timeouts (and makes the host stand out to a scanner as "filtered" rather than "closed")
    \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
    * tcp reset
      \ -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    * udp reject with icmp
      \ REJECT with ICMP Port Unreachable
      \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
  - ICMPs
    - block deprecated ICMPs
      \ Some ICMP types are deprecated, so they should probably be blocked unconditionally. Among these are ICMP source quench (type 4 code 0) and alternate host (type 6). Types 1, 2, 7 and type 15 and above are all deprecated, reserved for future use, or experimental. (This list predates RFC 8335, whose Extended Echo uses types 42/43; still fine to block on a host that doesn't use them.)
    - block ICMP redirect messages (type 5)
      \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
      * block ICMP router advertisement (type 9) and router solicitation (type 10) packets.
        \ requires redirect, apparently.
    - block ICMP type 13 - timestamp request
      \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
    - allow incoming ICMP of the following types, but only when conntrack marks the packet ESTABLISHED (echo replies to our own pings) or RELATED (errors that refer to a connection this host opened):
      \ Type 0 — Echo replies: These are responses to echo requests (pings).
      \ Type 3 — Destination Unreachable: Legitimate destination unreachable packets are responses to requests created by your server indicating that the packet could not be delivered.
      \ Type 11 — Time exceeded: This is a diagnostic error returned if a packet generated by your server died before reaching the destination because of exceeding its TTL value.
      \ Type 12 — Parameter problem: This means that an outgoing packet from your server was malformed.
      \ Type 14 — Timestamp responses: These are the responses for timestamp queries generated by your server.
      \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
    - probably block all other ICMPs, either as the catch-all last rule of the ICMP section or by leaving them to the default policy. All of the above is IPv4 only: for ip6tables the ICMPv6 types are different and Neighbor Discovery (types 133-137) must stay open or the host loses its router and neighbours.
  * put all DROPs before all other ACCEPT rules! iptables is first-match, so a DROP placed after an ACCEPT that matches the same traffic never fires; the default DROP policy only catches what no rule matched at all.
  - connection limiting
    \ connlimit: caps the number of concurrent connections from one source address (or from one /N network via the mask option); excess connections get dropped or rejected
    \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
  - rate limit
    \ --limit 10/second
    \ limit, hashlimit, recent: limit is one global token bucket per rule, so a single noisy client eats the whole budget for everyone; hashlimit keeps a bucket per source (or destination) address; recent tracks hit counts per address over a time window, the usual tool for throttling SSH brute force
    \ src: https://www.digitalocean.com/community/tutorials/how-to-choose-an-effective-firewall-policy-to-secure-your-servers
  - TODO: check the router logs for whether they list the iptables firewall rules that were added!
    \ also check with telnet? can't? it's limited
  - need this
    \ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    \ src: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
  * more
    * see more in /etc/iptables/simple_firewall.rules
    * see /etc/ufw/*
      \ TODO: when done with it, uninstall ufw and gufw!
    - iptables -S
      \ sudo iptables -vS
  * see ~/*.nft for more rules from nftables that I might want to port back
    \ not using nftables because it's buggy, and the likelihood that bugs I find will get fixed is slim enough that I don't want to bother! iptables should be more stable
  - conntrack ESTABLISHED on OUTPUT matched by --sport (this pair allows incoming ssh: new connections in, replies back out from port 22)
    \ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    \ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    \ src: https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
    \ ok, and this is the pair for allowing outgoing ssh (the --dport/--sport roles swap because the remote end owns port 22):
    \ sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    \ sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    \ note: with a blanket "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" in both INPUT and OUTPUT, the per-port ESTABLISHED halves are redundant; only the NEW half of each pair still decides anything
  - multiport example for allowing INCOMING http and https
    \ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    \ sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    \ (the OUTPUT rule must use --sports: the server's replies leave *from* 80/443. The tutorial's version has --dports there, which only ever matches this host connecting out to somebody else's web server, so the reply traffic would fall through to whatever comes next.)
    \ src: https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
  * use:
    \ sudo xtables-multi iptables-save -t table
    \ sudo xtables-multi iptables-restore [file]
    \ because iptables-save is a symlink to xtables-multi
  - reject with RST
    \ src: https://www.digitalocean.com/community/tutorials/how-to-implement-a-basic-firewall-template-with-iptables-on-ubuntu-14-04
    \ Attempting to reach a closed UDP port will result in an ICMP "port unreachable" message. We can imitate this by typing:
    \ sudo iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    \ Attempting to establish a TCP connection on a closed port results in a TCP RST response:
    \ sudo iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    \ For all other packets, we can send an ICMP "protocol unreachable" message to indicate that the server doesn't respond to packets of that type:
    \ sudo iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    * note the kernel rate-limits ICMP errors to one per second per target
      \ as per: sudo sysctl net.ipv4.icmp_ratelimit
      \ net.ipv4.icmp_ratelimit = 1000
      \ (milliseconds between ICMP errors to the same target, for the types selected by net.ipv4.icmp_ratemask; this throttles the icmp-port-unreachable / icmp-proto-unreachable REJECTs above, so a fast UDP scan mostly sees silence anyway; tcp-reset is a TCP segment, not ICMP, and is not affected)
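Assembled here as an added example, not code from this notes file or from the DigitalOcean tutorials: one script that generates the whole policy sketched above (DROPs ahead of ACCEPTs, the ICMP type list, connlimit/hashlimit/limit, the multiport and conntrack rule pairs, and the REJECT tail) in iptables-save format, so it can be reviewed and parse-checked with `iptables-restore --test` before being loaded atomically. Assumptions that are mine and not the notes': SSH listens on 22 unless a port is passed as the first argument, HTTP/HTTPS are served locally, every limit figure is a placeholder to tune, and the OUTPUT allow-list of ports is a hypothetical minimal set.

```shell
#!/bin/sh
# Host firewall in iptables-save format, generated by a function so the
# ruleset can be printed and reviewed before anything touches the kernel.
# Assumptions (not from the notes): SSH on 22 unless $1 says otherwise,
# HTTP/HTTPS served locally, placeholder limits, hypothetical OUTPUT list.
gen_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ICMP-IN - [0:0]
# DROPs first: iptables is first-match, so a later ACCEPT cannot undo them
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# all ICMP is decided in its own chain, which terminates every ICMP packet
-A INPUT -p icmp -j ICMP-IN
# return traffic for TCP/UDP flows this host opened or accepted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new SSH: hashlimit keys its bucket per source IP (a plain -m limit would let
# one client exhaust everyone's budget); connlimit caps concurrent sessions
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 6/minute --hashlimit-burst 6 -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m connlimit --connlimit-above 5 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# new HTTP/HTTPS via multiport, capped per /24 source network
-A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# closed ports answer the way an unfirewalled host would, instead of timing out
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# ICMP-IN: deprecated (4, 6), redirect (5), router adv/sol (9, 10) and
# timestamp request (13) dropped unconditionally; replies to our own traffic
# (0, 3, 11, 12, 14) pass only when conntrack ties them to a flow; echo
# requests are optional and rate-limited; everything else is dropped
-A ICMP-IN -p icmp -m icmp --icmp-type 4 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 5 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 6 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 9 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 10 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 13 -j DROP
-A ICMP-IN -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICMP-IN -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICMP-IN -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICMP-IN -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICMP-IN -p icmp -m icmp --icmp-type 14 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A ICMP-IN -p icmp -m icmp --icmp-type 8 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
-A ICMP-IN -j DROP
# OUTPUT: replies to anything accepted above, plus what this host may initiate
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Parse-check first, then load (needs root). iptables-restore replaces the
# whole filter table in one transaction, unlike a sequence of iptables -A.
apply_rules() {
    gen_rules "$@" | iptables-restore --test && gen_rules "$@" | iptables-restore
}

if [ "${1:-}" = apply ]; then shift; apply_rules "$@"; else gen_rules "$@"; fi
```

Run it bare to print the ruleset (or `sh fw.sh 2222` for another SSH port), pipe that into `iptables-restore --test` to see whether every match and target parses on the target box, and `sudo sh fw.sh apply` loads it. Because ICMP-IN terminates every ICMP packet, unsolicited ICMP is dropped silently rather than reaching the proto-unreachable REJECT, so the host never answers ICMP with ICMP errors.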


* INFO:
  * "only the first packet in a connection will be evaluated against the NAT rules."
    \ "Any nat decisions made for the first packet will be applied to all subsequent packets in the connection without additional evaluation. Responses to NAT'ed connections will automatically have the reverse NAT rules applied to route correctly."
    \ src: https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture
  * chain traversal order
    \ Incoming packets destined for the local system: PREROUTING -> INPUT
    \ Incoming packets destined to another host: PREROUTING -> FORWARD -> POSTROUTING
    \ Locally generated packets: OUTPUT -> POSTROUTING
    \ (these names are netfilter hook points; at each hook the tables that have a chain there are consulted in order raw, mangle, nat (the DNAT side), filter, while SNAT/MASQUERADE in nat run after filter, in POSTROUTING. The filter table only has INPUT/FORWARD/OUTPUT, so PREROUTING/POSTROUTING rules always belong to raw, mangle or nat.)
    \ src: https://www.digitalocean.com/community/tutorials/a-deep-dive-into-iptables-and-netfilter-architecture


